| author | Max Bires <jbires@google.com> | 2017-11-29 14:38:48 -0800 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-12-14 21:14:30 +0000 |
| commit | 65423d0573db2b63d187fc0fa042cc35261ab2ef (patch) | |
| tree | 9efbd9228978118d6882c9220cddd4c96d59aced | |
| parent | 7c9c67d8fe73dd06582b5098f9710a786c60564a (diff) | |
| download | security-65423d0573db2b63d187fc0fa042cc35261ab2ef.tar.gz | |
Fixing security vuln by tightening race condition window.
A proper fix for this feature requires reworking binder permission
checking to take the selinux context and not the pid. This is feature
work that should be done for P to properly fix these race conditions
that occur elsewhere in the code.
Bug: 68217699
Test: KeyStore keygen permissions cannot be bypassed through PID cycling
Change-Id: I1ba5210010d6c413c9b1dbde3df0cc566400bfac
Merged-In: I1ba5210010d6c413c9b1dbde3df0cc566400bfac
(cherry picked from commit ef4f067c03543d8c8f2f8218bc69af12692ba000)
(cherry picked from commit 05fbbe5f3d47454a85da374cad9b54e4978c2c70)
-rw-r--r-- | keystore/key_store_service.cpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index eb5fe86b..be13a7b2 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -693,6 +693,8 @@ KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name, const hidl_vec<uint8_t>& entropy, int uid, int flags, KeyCharacteristics* outCharacteristics) { + // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100 + uid_t originalUid = IPCThreadState::self()->getCallingUid(); uid = getEffectiveUid(uid); KeyStoreServiceReturnCode rc = checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED); @@ -705,7 +707,10 @@ KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name, } if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) { - if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED; + if (!checkBinderPermission(P_GEN_UNIQUE_ID) && + originalUid != IPCThreadState::self()->getCallingUid()) { + return ResponseCode::PERMISSION_DENIED; + } } bool usingFallback = false; |
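Review bot: in the first hunk (@@ -693), the `originalUid` snapshot is taken right before `uid = getEffectiveUid(uid)` but is only consumed much later in the INCLUDE_UNIQUE_ID branch, and the TODO cites b/25646100 while the commit message says the real fix is reworking binder permission checking to use the SELinux context instead of the pid. Suggest the comment say what the snapshot is for, so the intent survives until the TODO is resolved, e.g. `// Snapshot the caller identity at entry so the unique-ID permission check below can detect a caller change mid-call.`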
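Review bot: the second hunk (@@ -705) changes the denial semantics: the old line returned PERMISSION_DENIED whenever `checkBinderPermission(P_GEN_UNIQUE_ID)` failed, but the new condition `!checkBinderPermission(P_GEN_UNIQUE_ID) && originalUid != IPCThreadState::self()->getCallingUid()` denies only when the permission check fails AND the calling UID has changed, so a caller that fails the permission check with a stable UID now falls through to key generation. If the intent is to keep the existing denial and additionally reject a caller whose identity changed, the operator should be `||`; if the relaxation is deliberate, a comment should state why a failed permission check is acceptable when the UID is unchanged. Separately, the commit message describes the bypass as PID cycling, yet the hunk compares UIDs returned by `getCallingUid()` for the same binder transaction; worth confirming that the comparison targets the identity that is actually recycled.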